Reset multi_auth to initial state on error (#2007)

* Reset multi auth to initial state

* Also check if next-auth.session-token exists

---------

Co-authored-by: Keyan <[email protected]>

Author: ekzyis

Diff for: lib/auth.js

@@ -92,7 +92,7 @@ function switchSessionCookie (request) {
 }
 
 async function checkMultiAuthCookies (req, res) {
-  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
+  if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER] || !req.cookies[SESSION_COOKIE]) {
     return false
   }
 
@@ -116,15 +116,23 @@ async function checkMultiAuthCookies (req, res) {
   return true
 }
 
-function resetMultiAuthCookies (req, res) {
+async function resetMultiAuthCookies (req, res) {
   const httpOnlyOptions = cookieOptions({ expires: 0, maxAge: 0 })
   const jsOptions = { ...httpOnlyOptions, httpOnly: false }
 
+  // remove all multi_auth cookies ...
   for (const key of Object.keys(req.cookies)) {
     if (!MULTI_AUTH_REGEXP.test(key)) continue
     const options = MULTI_AUTH_JWT_REGEXP.test(key) ? httpOnlyOptions : jsOptions
     res.appendHeader('Set-Cookie', cookie.serialize(key, '', options))
   }
+
+  // ... and reset to initial state if they are logged in
+  const token = req.cookies[SESSION_COOKIE]
+  if (!token) return
+
+  const decoded = await decodeJWT({ token, secret: process.env.NEXTAUTH_SECRET })
+  setMultiAuthCookies(req, res, { ...decoded, jwt: token })
 }
 
 async function refreshMultiAuthCookies (req, res) {
@@ -170,7 +178,7 @@ export async function multiAuthMiddleware (req, res) {
 
   const ok = await checkMultiAuthCookies(req, res)
   if (!ok) {
-    resetMultiAuthCookies(req, res)
+    await resetMultiAuthCookies(req, res)
     return switchSessionCookie(req)
   }